Analysis
  Max time kernel: 149s
  Max time network: 153s
  Platform: windows7_x64
  Resource: win7v20201028
  Submitted: 12-04-2021 06:12
Static task: static1
Behavioral task: behavioral1 (sample: RFQ 견적요청_해성190918.exe, resource: win7v20201028)
Behavioral task: behavioral2 (sample: RFQ 견적요청_해성190918.exe, resource: win10v20201028)
General
  Target: RFQ 견적요청_해성190918.exe
  Size: 467KB
  MD5: cd70300691bc9f2a261dc6b814ea31a0
  SHA1: 255a24ace53039f262cc74bcda27541a4c3eeaaf
  SHA256: 5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
  SHA512: f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5
Malware Config
Extracted
  Family: xloader
  Version: 2.3
  URL: http://www.mappmake.com/hrqs/
  Domains:
xaydungdahoacuonghoanglong.com
bigbladesharpeningservice.com
lafabricadestock.com
anothersanitizerbusiness.com
vidahproperties.com
peoples.mba
lucrumglobaltrading.com
saucywhite.com
larissabarros.com
sybjs.net
crasvaleasingn.com
helpmelabit.com
physiciansimpact.com
graduacionesdemexico.com
banhflanquynhhoa.com
jn163.com
startzassets.com
kutrasoftware.com
karasknots.com
tupetmarketingdigital.com
quranwords.net
kingdomvets.com
hiluotime.com
arovess.com
curtex.info
bedbugdude.com
theknowledgenoodles.com
exhibit42.com
laurencondick.com
wytchwoodhollow.com
privatevpnserver.com
fitnesshred.com
nw21salon.com
approved15.info
mgenevieve.com
flagshiplandscape.com
kristinlindvall.com
pheliamoore.com
kebabakini.com
peercondescend.life
fzazb.com
frictionlessdlp.com
tk-ltd.com
procrafthomesolutions.com
cxcontractorsllc.com
qqwiwee.com
idiaricuriosi.com
vietskills.com
poker6plusholdem.com
ti22.online
roostercollection.com
felinecures.com
lankaboy.com
fafq000.icu
thedigitalfuture.net
naturistanbul.com
q4payments.com
hcloudanalytics.com
cerebralcompost.com
sarklark.com
morethanascribble.com
lsbiofarm.com
vetaskills.com
tklaserworks.com
Signatures

Xloader Payload (3 IoCs)
  resource / yara_rule:
    behavioral1/memory/992-80-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
    behavioral1/memory/992-81-0x000000000041D020-mapping.dmp: xloader
    behavioral1/memory/884-92-0x00000000000C0000-0x00000000000E8000-memory.dmp: xloader
Executes dropped EXE (2 IoCs)
  pid / process:
    576: RFQ.exe
    992: RFQ.exe
Loads dropped DLL (1 IoC)
  pid / process:
    1676: RFQ 견적요청_해성190918.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource / yara_rule:
    behavioral1/memory/1676-64-0x00000000004A0000-0x00000000004C1000-memory.dmp: agile_net
Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process:
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ = "C:\\Users\\Admin\\AppData\\Roaming\\RFQ.exe" (reg.exe)
Suspicious use of SetThreadContext (4 IoCs)
  description / pid process / target process:
    PID 576 set thread context of 992: 576 RFQ.exe -> RFQ.exe
    PID 992 set thread context of 1312: 992 RFQ.exe -> Explorer.EXE
    PID 992 set thread context of 1312: 992 RFQ.exe -> Explorer.EXE
    PID 884 set thread context of 1312: 884 svchost.exe -> Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid / process (number of occurrences):
    1676: RFQ 견적요청_해성190918.exe (5)
    576: RFQ.exe (2)
    992: RFQ.exe (3)
    884: svchost.exe (21)
Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process (number of occurrences):
    992: RFQ.exe (4)
    884: svchost.exe (2)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid process:
    Token: SeDebugPrivilege: 1676 RFQ 견적요청_해성190918.exe
    Token: SeDebugPrivilege: 576 RFQ.exe
    Token: SeDebugPrivilege: 992 RFQ.exe
    Token: SeDebugPrivilege: 884 svchost.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid / process (number of occurrences):
    1312: Explorer.EXE (4)
Suspicious use of SendNotifyMessage (4 IoCs)
  pid / process (number of occurrences):
    1312: Explorer.EXE (4)
Suspicious use of WriteProcessMemory (27 IoCs)
  description / pid process / target process (number of occurrences):
    PID 1676 wrote to memory of 1628: 1676 RFQ 견적요청_해성190918.exe -> cmd.exe (4)
    PID 1628 wrote to memory of 1016: 1628 cmd.exe -> reg.exe (4)
    PID 1676 wrote to memory of 576: 1676 RFQ 견적요청_해성190918.exe -> RFQ.exe (4)
    PID 576 wrote to memory of 992: 576 RFQ.exe -> RFQ.exe (7)
    PID 1312 wrote to memory of 884: 1312 Explorer.EXE -> svchost.exe (4)
    PID 884 wrote to memory of 1500: 884 svchost.exe -> cmd.exe (4)
Processes

C:\Windows\Explorer.EXE  [level 1]
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RFQ 견적요청_해성190918.exe  [level 2]
      command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 견적요청_해성190918.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [level 3]
        command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe  [level 4]
          command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "RFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RFQ.exe"
          - Adds Run key to start application

    C:\Users\Admin\AppData\Roaming\RFQ.exe  [level 3]
        command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\RFQ.exe  [level 4]
          command line: "C:\Users\Admin\AppData\Roaming\RFQ.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe  [level 2]
      command line: "C:\Windows\SysWOW64\svchost.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [level 3]
        command line: /c del "C:\Users\Admin\AppData\Roaming\RFQ.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Roaming\RFQ.exe
  MD5: cd70300691bc9f2a261dc6b814ea31a0
  SHA1: 255a24ace53039f262cc74bcda27541a4c3eeaaf
  SHA256: 5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
  SHA512: f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5
\Users\Admin\AppData\Roaming\RFQ.exe
  MD5: cd70300691bc9f2a261dc6b814ea31a0
  SHA1: 255a24ace53039f262cc74bcda27541a4c3eeaaf
  SHA256: 5b578a81fa5276232529484ff00db9fca64a7879ab4a7abc652c9d0d3e1461ba
  SHA512: f3c86b554d45f0d0cc67be9ed25025411d47ed513fb0f72978e952c2fcbf20357ee55f1754dc7961afd1e0fc07149dfd38709c0205ad50fccdf7fdf97de981a5
memory/576-79-0x00000000009D0000-0x00000000009D1000-memory.dmp  (filesize: 4KB)
memory/576-72-0x0000000000A90000-0x0000000000A91000-memory.dmp  (filesize: 4KB)
memory/576-78-0x00000000007F0000-0x00000000007FB000-memory.dmp  (filesize: 44KB)
memory/576-69-0x0000000000000000-mapping.dmp
memory/576-77-0x0000000004D51000-0x0000000004D52000-memory.dmp  (filesize: 4KB)
memory/576-74-0x0000000004D50000-0x0000000004D51000-memory.dmp  (filesize: 4KB)
memory/884-89-0x0000000000000000-mapping.dmp
memory/884-91-0x0000000000260000-0x0000000000268000-memory.dmp  (filesize: 32KB)
memory/884-94-0x00000000004C0000-0x000000000054F000-memory.dmp  (filesize: 572KB)
memory/884-93-0x0000000000640000-0x0000000000943000-memory.dmp  (filesize: 3.0MB)
memory/884-92-0x00000000000C0000-0x00000000000E8000-memory.dmp  (filesize: 160KB)
memory/992-85-0x0000000000120000-0x0000000000130000-memory.dmp  (filesize: 64KB)
memory/992-80-0x0000000000400000-0x0000000000428000-memory.dmp  (filesize: 160KB)
memory/992-81-0x000000000041D020-mapping.dmp
memory/992-84-0x0000000000B10000-0x0000000000E13000-memory.dmp  (filesize: 3.0MB)
memory/992-87-0x00000000001A0000-0x00000000001B0000-memory.dmp  (filesize: 64KB)
memory/1016-66-0x0000000000000000-mapping.dmp
memory/1312-86-0x0000000004CC0000-0x0000000004E13000-memory.dmp  (filesize: 1.3MB)
memory/1312-88-0x0000000004F70000-0x0000000005062000-memory.dmp  (filesize: 968KB)
memory/1312-95-0x00000000069D0000-0x0000000006B46000-memory.dmp  (filesize: 1.5MB)
memory/1500-90-0x0000000000000000-mapping.dmp
memory/1628-65-0x0000000000000000-mapping.dmp
memory/1676-64-0x00000000004A0000-0x00000000004C1000-memory.dmp  (filesize: 132KB)
memory/1676-67-0x0000000004C81000-0x0000000004C82000-memory.dmp  (filesize: 4KB)
memory/1676-62-0x0000000004C80000-0x0000000004C81000-memory.dmp  (filesize: 4KB)
memory/1676-60-0x0000000001060000-0x0000000001061000-memory.dmp  (filesize: 4KB)